b"September 28, 2007\n\n\nMEMORANDUM FOR:            EMILY STOVER DeROCCO\n                           Assistant Secretary for Employment\n                            and Training\n\n\n\n\nFROM:                      ELLIOT P. LEWIS\n                           Assistant Inspector General\n                            for Audit\n\nSUBJECT:                   Insufficient Controls Over Hurricane-issued Debit\n                           Cards Created Opportunities for Fraud\n                           Management Letter No. 06-07-002-03-315\n\nINTRODUCTION\n\nThis Office of Inspector General (OIG) Management Letter is being issued as\npart of OIG\xe2\x80\x99s audit in response to the 2005 Gulf Coast hurricanes. The complete\nresults of the audit will be summarized in a roll-up report.\n\nWe are recommending ETA take corrective actions to ensure the Louisiana\nDepartment of Labor (LDOL) has adequate controls in place to safeguard\nUnemployment Compensation (UC) and Disaster Unemployment Assistance\n(DUA) benefits paid to its claimants by debit cards, and to recover any federally\nfunded benefits paid under the DUA grants that have not been claimed by or paid\nto its claimants.\n\nBACKGROUND\n\nFollowing Hurricanes Katrina and Rita, many residents from the Gulf Coast\nregion were displaced and forced to relocate to other parts of the country. Not\nonly were these individuals without a home, many had lost their means to earn\nan income and provide basic necessities for their families. As a result, an\nunprecedented number of individuals in Louisiana were eligible and did apply for\nassistance under one of two unemployment benefits programs. The first, State\nUC, provides benefits to eligible workers who are unemployed through no fault of\ntheir own, and meet eligibility requirements established by their states. UC\nbenefits are state-funded except for former federal employees. The second,\nDUA, provides financial assistance to individuals whose employment or self-\nemployment has been lost or interrupted as a direct result of a major disaster\ndeclared by the President of the United States. Before an individual can be\n\x0c                                                                                     ATTACHMENT\n\n\ndetermined eligible for DUA, it must be established that the individual is not\neligible for regular UC benefits.\n\nDUA is federally funded by the Federal Emergency Management Agency (FEMA)\nthrough transfer of funding to ETA for allocation of funds to State Workforce\nAgencies, such as LDOL. Immediately after all payment activity has been\nconcluded for a disaster\xe2\x80\x94up to 26 weeks after its declaration\xe2\x80\x94funding should be\nclosed out and unexpended funds returned to FEMA, via ETA.\n\nTo expedite the delivery of benefits, LDOL implemented a new payment method\nusing debit cards1. LDOL contracted with JPMorgan Chase to establish debit\ncard accounts for claimants, and transferred pertinent information to the\ncompany--name, address, full social security number (SSN), and birth date.\nJPMorgan Chase contracted with Oberthur Card Services (Oberthur) to produce\nand distribute these debit cards.\n\nDebit cards were sent to claimants based on addresses provided when they\ninitiated their claims. Because so many claimants subsequently relocated, debit\ncards were returned undelivered to LDOL, as well as Oberthur. Undelivered\ncards were reissued only when claimants contacted LDOL or JPMorgan Chase\nto update their new address.\n\nClaimants who did receive their debit cards were instructed to call a toll-free\nnumber and use JPMorgan Chase\xe2\x80\x99s Interactive Voice Response system to\nactivate their account and create a personal identification number (PIN) by\nentering their SSN and birth date. The PIN was a security measure to ensure\nthat only the person who activated the account could gain access to the\nunemployment benefits paid on the card.\n\nOBJECTIVES, SCOPE, AND METHODOLOGY\n\nOur objectives were to determine if:\n\n    1. LDOL had adequate controls in place to ensure claimants eligible for\n       Hurricanes Katrina- and Rita-related UC and DUA received benefits paid\n       on debit cards;\n\n    2. LDOL retrieved from JPMorgan Chase UC and DUA benefits paid on\n       inactive debit cards; and\n\n    3. LDOL had sufficient evidence to support the amount of reimbursements\n       requested from ETA\xe2\x80\x99s DUA grants.\n\n\n\n1\n  Debit cards allow authorized users 24-hour online or ATM access to their accounts with the convenience,\nflexibility and spending power of a Visa\xc2\xae Check Card or MasterCard Banking Card.\n\n\n                                                    2\n\x0c                                                                                ATTACHMENT\n\n\nWe accomplished these objectives by:\n\n    1. Reviewing the processes LDOL, JPMorgan Chase, and Oberthur used to\n       manage and distribute debit cards to determine the sufficiency of controls\n       in place to ensure claimants received the benefits to which they were\n       entitled.\n\n        To assess the controls Oberthur had in place, we reviewed its Statement\n        on Auditing Standards (SAS) 70 report2, Independent Service Auditor\xe2\x80\x99s\n        Report on Controls Placed in Operation and Tests of Operational\n        Effectiveness, for the period of December 1, 2005 \xe2\x80\x93 May 31, 2006.\n\n    2. Matching LDOL payment records, as of October 23, 2006, against a data\n       file JPMorgan Chase provided to OIG that identified unactivated and\n       undelivered debit card accounts, as of November 14, 2006 (no new debit\n       cards were issued for hurricane-related claims after October 23, 2006), to\n       determine the amount of benefits that remained on these accounts 60 or\n       more days after the deposits were made.\n\n        To achieve our objectives, we relied on computer-processed data\n        contained in LDOL's payment records. We assessed the reliability of this\n        data and found it to be adequate except for a discrepancy that resulted\n        from a backlog in LDOL\xe2\x80\x99s processing of an unprecedented number of\n        transactions. We believe this discrepancy will be resolved once LDOL\n        eliminates the claims backlog. Therefore, we feel that the data reported in\n        LDOL's payment records are complete with the exception of these\n        unprocessed transactions.\n\n        We also relied on computer-processed data contained in the JPMorgan\n        Chase Data File. We did not establish the reliability of this data\n        because we had no means to assess the reliability of the reported\n        transactions. As a result, additional investigations are needed to confirm\n        whether the lack of controls affected legitimate claimants receiving\n        benefits to which they were entitled.\n\n    3. Comparing the total DUA benefits LDOL recorded as having paid for both\n       Hurricanes Katrina and Rita to its accounting records, as well as the\n       drawdowns it made from the ETA grants, to test the integrity of LDOL\xe2\x80\x99s\n       payment file and ensure the information we used in our analysis was\n\n\n\n2\n  SAS 70 reports are used to examine control activities for service organizations and providers to\ndemonstrate whether adequate controls and safeguards are in place when they host or process\ntheir client\xe2\x80\x99s data. A SAS-70 report was not available to cover the period when the debit cards\nwere first sent to LDOL\xe2\x80\x99s claimants--September 15, 2005, through November 30, 2005.\n\n\n\n                                                3\n\x0c                                                                                    ATTACHMENT\n\n\n        complete and accurate.\n\n    4. Reviewing the results of the LDOL Audit Division\xe2\x80\x99s review, performed\n       April 1 \xe2\x80\x93 May 21, 2006, over the security of debit cards returned to LDOL\xe2\x80\x99s\n       offices. No additional procedures were performed to support the reliability\n       of LDOL\xe2\x80\x99s findings.\n\nJPMorgan Chase investigates reports of fraud or misuse of debit cards in\naccordance with Regulation E3, but denied our request to review pending or\nclosed cases as they relate to debit cards issued to LDOL\xe2\x80\x99s claimants.\nTherefore, we cannot quantify the financial impact the control deficiencies\nidentified in this management letter has had if someone other than the intended\nclaimant obtained unauthorized unemployment benefits.\n\nOur audit period was based on benefits paid for the weeks ending September 10,\n2005, through June 3, 2006.4 We conducted fieldwork at LDOL\xe2\x80\x99s central\nadministrative offices in Baton Rouge, Louisiana, and analyzed LDOL\xe2\x80\x99s\nelectronic claims files in our Denver Office, from January 2006 to February 2007.\n\nRESULTS\n\nLDOL and JPMorgan Chase used procedures to administer debit cards that\ncreated opportunities for ineligible persons to gain access to benefits to\nwhich there were not entitled.\n\nSection 303(a)(1) of the Social Security Act requires that each state establish a\nsystem for paying unemployment benefits to qualified individuals who become\nunemployed through no fault of their own:\n\n        The Secretary of Labor shall make no\xe2\x80\xa6payment to any State\n        unless he finds that the law of such State\xe2\x80\xa6includes provision for\n        such methods of administration\xe2\x80\xa6to insure full payment of\n        unemployment compensation when due.\n\nTherefore, it is LDOL\xe2\x80\x99s responsibility to establish sufficient controls over its\ndisbursement of UC and DUA funds to ensure benefits are received by the\nintended qualified claimants.\n\n\n\n\n3\n  Regulation E, monitored and enforced by the Federal Reserve System, addresses Electronic\nFund Transfers. It establishes the rights, liabilities, and responsibilities of parties in electronic\nfunds transfers, and protects consumers when they use such systems.\n4\n Hurricane Katrina benefits were payable through the week ending June 3, 2006. Hurricane Rita\nbenefits were payable through the week ending June 24, 2006.\n\n\n\n                                                   4\n\x0c                                                                               ATTACHMENT\n\n\n\nControls over claimant security data\n\nLDOL and JPMorgan Chase circumvented controls they had in place to ensure\nthat debit card activation and benefit access was limited to authorized claimants.\nLDOL granted JPMorgan Chase customer service representatives (CSRs)\naccess to claimant security data, such as birthdates, SSNs, and addresses.\nCSRs had the capability to either reveal to claimants, or change, the birthdates\nrecorded in claimants\xe2\x80\x99 accounts, in order to facilitate the activation of their debit\ncards. Further, CSRs also had the capability to change the addresses to which\nre-issued debit cards were mailed.5\n\nJPMorgan Chase\xe2\x80\x99s Interactive Voice Response system required claimants to\nconfirm birthdates and SSNs in order to establish a PIN for and activate their\ndebit cards. Claims entered into DOL\xe2\x80\x99s system contained inaccurate security\ndata, resulting in claimants encountering problems with the activation process\nand contacting the CSRs for assistance. Instead of LDOL requiring the CSRs to\nrefer claimants to its offices to confirm other security data in LDOL\xe2\x80\x99s claims\nsystem \xe2\x80\x94past employers, employment dates, wages, etc.\xe2\x80\x94to establish the\nclaimants\xe2\x80\x99 identity before changing birthdates and addresses, LDOL allowed the\nCSRs to unilaterally change them. LDOL also allowed CSRs access to\nclaimants\xe2\x80\x99 full SSNs instead of just partial SSNs (i.e. the last four digits.) These\nactions created opportunities for ineligible persons, including the CSRs, to gain\naccess to benefits to which they were not entitled.\n\nControls over returned debit cards\n\nLDOL had implemented an inadequate policy for handling debit cards returned to\nits offices. While this policy instructed employees to immediately destroy\nreturned debit cards, it did not include controls to ensure accountability over\nthese cards, such as limiting who could receive them, or recording their receipt\nand destruction.\n\nWhile at LDOL\xe2\x80\x99s offices, we learned that debit cards had been returned as\nundelivered from the U.S. Postal Service, as well as directly from claimants6.\nLDOL\xe2\x80\x99s Audit Division informed us of its subsequent review of returned cards to\nevaluate the adequacy of physical controls over cards, as well as to determine\nwhether staff was in compliance with LDOL\xe2\x80\x99s established policies. As a result of\nthe review, the LDOL\xe2\x80\x99s Audit Division issued an internal memorandum to LDOL\nmanagement on June 1, 2006, outlining the following findings:\n5\n Claimants needed to provide CSRs with the SSN on an account to learn or change the\nassociated birth date, and had to provide the SSN and original address on the account to effect\nan address change.\n6\n  Some claimants who were not entitled to unemployment benefits or did not want this assistance\nreturned the debit cards they had received to LDOL.\n\n\n\n                                                5\n\x0c                                                                   ATTACHMENT\n\n\n\n   1. A tray of unsecured debit cards was found outside the offices of the LDOL\n      Accounting Division. Some cards were still intact and had not been\n      destroyed in accordance with LDOL policy.\n\n   2. LDOL employees were neither following, nor aware of, the established\n      policy for handling returned debit cards.\n\n   3. 30 debit card accounts were identified during the review as having\n      questionable social security numbers.\n\nThe controls LDOL had in place were not sufficient to properly handle and\naccount for debit cards returned to its offices, creating an opportunity for LDOL\nemployees--who have access to the LDOL claims system containing information\nneeded to activate debit cards--to activate the returned debit cards and illegally\ngain access to unemployment benefits.\n\nLDOL paid, and had not retrieved, approximately $1.2 million in hurricane-\nrelated benefits on 1,570 debit card accounts that were never activated.\n\nThe State of Louisiana paid, and had not retrieved, $1,193,379 in Hurricanes\nKatrina- and Rita-related UC and DUA benefits applied to 1,570 debit cards\naccounts that were never activated by the claimants. Of this amount, $354,070\nwas paid from the DUA grants.\n\nEmployment and Training Handbook, No. 356, Chapter IX, Closeout, states, in\npart:\n      Once payment activity has ceased or the end of the disaster\n      assistance period, it is important to close out the disaster as soon\n      as possible. This is necessary because disaster funds are no-year\n      funds and any unused state funds will be reobligated by FEMA for\n      future disasters.\n\nFurther, LDOL\xe2\x80\x99s Debit Card Business Rules require that UC and DUA funds paid\non debit card accounts with no activity within 60 days be returned to the agency.\n\nDelays in entering paid claims created a $2.7 million discrepancy in LDOL\xe2\x80\x99s\nrecords.\n\nAs of October 23, 2006, LDOL had drawn down $2,622,229 and $118,496 more\nfrom the DUA grants for Hurricanes Katrina- and Rita- related claims,\nrespectively, than it had evidence to support were paid by its claims system.\nLDOL officials claimed that these differences in DUA totals between the\naccounting and claims systems were the result of backlogged transactions they\nestimated would be completed and entered into the claims system within a year.\n\n\n\n\n                                        6\n\x0c                                                                  ATTACHMENT\n\n\nRegulations over the administration of DUA grants, Employment and Training\nHandbook No. 356, Chapter IX, Closeout, Financial Monitoring, require that\n\xe2\x80\x9cRegions . . . monitor each DUA project to ensure that excess funds are not\nbeing maintained by the State. . . .\xe2\x80\x9d\n\nRECOMMENDATIONS\n\nWe recommend that the Assistant Secretary for Employment and Training:\n\n1. Work with the LDOL to ensure adequate controls are in place, internally as\n   well as with contracted service organizations, to safeguard debit cards and\n   protect confidential information belonging to claimants. These procedures\n   should be evaluated to ensure the intended objectives are achieved and\n   effective in mitigating the risk of fraud;\n\n2. Ensure that LDOL takes action to adequately address the results of its Audit\n   Division\xe2\x80\x99s internal review;\n\n3. Work with LDOL to retrieve approximately $1.2 million from JPMorgan Chase\n   for UC and DUA benefits paid on inactive debit card accounts. In addition,\n   $354,070 of this amount should immediately be returned to ETA for benefits\n   paid under the DUA grants; and\n\n4. Monitor LDOL\xe2\x80\x99s processing of its backlogged claims to facilitate the\n   reconciliation of discrepancies between its accounting and claims systems.\n   Upon completion, collect any funds LDOL has drawn down in excess of\n   claims paid.\n\nAGENCY RESPONSE\n\nIn response to the draft Management Letter, the Assistant Secretary for\nEmployment and Training stated that LDOL has negotiated a new contract with\nJP Morgan Chase to safeguard debit cards and protect confidential information\nbelonging to claimants. Under the new contract, no funds will be deposited into\nan account until the debit card is activated, and the bank will provide LDOL a\ndaily list of inactive cards. LDOL has also retrieved approximately $38-40 million\nfrom JP Morgan Chase for benefits paid on inactive accounts. Further, it has\ncompleted an investigation of all findings reported by its Audit Division, and has\nestablished overpayments for State employees who were found to have received\nimproper benefits. ETA regional staff will monitor LDOL\xe2\x80\x99s collection efforts as\nwell as its reconciliation of discrepancies between its accounting and claims\nsystem and, further, will ensure that, where applicable, the DUA portion of funds\nis returned to the proper DUA grant. The Assistant Secretary\xe2\x80\x99s response is\nincluded in its entirety as an Attachment.\n\n\n\n\n                                        7\n\x0c                                                                 ATTACHMENT\n\n\nOIG CONCLUSION\n\nBased on the Assistant Secretary\xe2\x80\x99s response, we consider the recommendations\nresolved. They will be closed upon receipt of documentation to support LDOL\xe2\x80\x99s\nand ETA regional staff\xe2\x80\x99s actions taken to address the recommendations, as\ndescribed in the response.\n\nThis final Management Letter is submitted for appropriate action. We request a\nresponse within 60 days documenting actions taken in response to the\nrecommendations.\n\nIf you have any questions concerning this Management Letter, please contact\nDavid Williams, Regional Inspector General for Audit, in Dallas at (972) 850-\n4005.\n\nAttachment\n\ncc:   Howard Radzely\n      Acting Deputy Secretary\n\n      Phyllis Newby\n      ETA Audit Liaison\n\n\n\n\n                                       8\n\x0c    ATTACHMENT\n\n\n\n\n9\n\x0c     ATTACHMENT\n\n\n\n\n10\n\x0c"